Gwar

Details

Summary

Gwar is a boot virus that infects the master boot record (MBR) of hard disks and the
boot records of floppies. The virus body is one sector long and partially encrypted.
Gwar is memory-resident and uses a stealth routine to hide its infection while it is
in memory.

Removal

Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

More information on the scanning and removal options available in your F-Secure product
can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

The system becomes infected after booting from an infected floppy, or after executing a
COM or EXE file infected by the Messev.3158 virus, which acts as a dropper for Gwar. Before
infecting the hard disk with Gwar, Messev.3158 tries to delete the Windows 95 floppy
device driver HSFLOP.PDR, but because of a bug in the virus this never happens.
Floppy boot records are infected on the first access to them while the virus is resident.

When infecting a hard disk the virus (or its dropper) copies the original MBR to
head 0, track 0, sector 2 (written 0/0/2 in h/t/s notation) and writes its own body
over 0/0/1. Because the stealth handler is not active when booting from a clean
system diskette, the partition table is not presented and all logical hard disks
appear inaccessible in that state. To disinfect the virus, the original MBR saved at
0/0/2 should be copied back to 0/0/1 (h/t/s).

On bootup the virus copies itself to the interrupt table area at 0020:0000 (linear
address 200h, which holds the vectors of interrupts 80h-FFh), decrypts its payload
part and checks the current date; if it is the 2nd of May the payload is activated.
First the virus blocks the keyboard and outputs the blinking text:

'Gwar virus v1.3, (c) 1998 by T-2000 / Invaders'

Then it repeatedly writes 8-sector areas containing a part of the virus body (starting
at the message offset) to track 1, head 2, and prints the screen contents on every
write operation.

If the date is not 2 May, the virus copies the Int 13h handler address (which at
startup points into the BIOS) to 0000:01F8, which the description calls the Int FEh
vector, and from then on performs its own disk access through that interrupt instead
of Int 13h. (Note that 0FEh x 4 = 03F8h, so the Int FEh vector actually lives at
0000:03F8; address 0000:01F8 is the slot of Int 7Eh, so one of the two values in the
original description is inconsistent.) Calling the BIOS through a private vector
that no monitor hooks lets the virus evade resident behaviour blockers and perform
its stealth procedure unnoticed. The virus then loads the original MBR to 0000:7C00
and passes control to it.

The stealth procedure, which services disk reads through the Int FEh vector, substitutes
the infected MBR with the original one saved at 0/0/2 (h/t/s), so the infection is not
visible while the virus is in memory.

Technical Details: Alexey Podrezov, Szor Peter; F-Secure, 1998
